Kerberos

Most of the IRB web services support passwordless single sign-on via Kerberos. This is both more practical to use and more secure than logging in with a username and password.

In order to increase the security of access and to additionally protect our users' credentials, SSH login via password is also disabled on both the servers and the pool computers.

For technical reasons, SSH keys cannot currently be stored on pool computers, which is why we recommend access via Kerberos. Servers can be accessed using both Kerberos and SSH keys.

Below you will find a series of instructions for setting up Kerberos and using it in your operating system and in various software.

Setting up Kerberos (Linux)

In order to set up Kerberos under Linux, the necessary software must first be installed. This can usually be found as "krb5" (archlinux, nixos) or "krb5-user" (debian, ubuntu) in the repositories of your distribution. To simplify use, it is also advisable to store the following content in the "/etc/krb5.conf" file:

[libdefaults]
    default_realm = UNI-PADERBORN.DE
    forwardable = true
    ticket_lifetime = 10h
    renew_lifetime = 7d
    dns_lookup_realm = true
    dns_lookup_kdc = true

Before the first login, it is then necessary to get a ticket with "kinit example" (or "kinit -f example@UNI-PADERBORN.DE" if not configured as above), where "example" is the username of your Paderborn University account. Enter the password of your IMT account as the password. The ticket is then valid for 10 hours.

Login via SSH (Linux)

To log in with Kerberos via SSH, it is necessary to explicitly activate this authentication method. To simplify use, it is recommended to store the following in the "~/.ssh/config" file, where "example" should be replaced by your IMT user name:

Host *.cs.upb.de *.cs.uni-paderborn.de
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
    User example

Host *.cs.upb.de *.cs.uni-paderborn.de !sshgate.* !git.*
    ProxyJump sshgate.cs.uni-paderborn.de

You can then log in to the respective host, e.g. with "ssh example.cs.uni-paderborn.de" (provided you have obtained a ticket as described above), even without a VPN.
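Two checks for the setup above, added here as example shell code (not part of the original page or the IRB's own tooling): the first parses `klist -f` output and confirms that a forwardable TGT for UNI-PADERBORN.DE is in the cache, which credential delegation over SSH depends on; the second parses `ssh -G <host>` and confirms that GSSAPI authentication and delegation are in effect for that host. The klist output embedded in the block is a constructed sample.

```shell
# Reads `klist -f` output on stdin and checks that the cache holds a TGT for
# UNI-PADERBORN.DE which is forwardable: GSSAPIDelegateCredentials only passes a
# ticket on to the server if the TGT is forwardable (forwardable = true in
# krb5.conf, or "kinit -f"). Exit 0 = usable; reasons are printed to stderr.
check_tgt() {
    awk -v realm="UNI-PADERBORN.DE" '
        function bad(msg) { print "check_tgt: " msg > "/dev/stderr"; fail = 1 }
        # "Default principal: user@REALM" must belong to our realm
        /^Default principal:/ { split($3, p, "@"); if (p[2] != realm) bad("principal " $3 " is not in " realm) }
        # a ticket line ends in its service principal; remember when it is the TGT
        $NF ~ ("^krbtgt/" realm "@" realm "$") { tgt = 1; intgt = 1; next }
        # with -f, the line after a ticket ends in "Flags: FRIA" (F = forwardable)
        intgt && /Flags:/ { tgtflags = $NF; intgt = 0; next }
        { intgt = 0 }
        END {
            if (!tgt) { bad("no TGT for " realm " in cache; run kinit")
            } else if (tgtflags == "") { bad("no ticket flags shown; run klist -f")
            } else if (tgtflags !~ /F/) { bad("TGT not forwardable (flags " tgtflags "); run kinit -f") }
            exit (fail ? 1 : 0)
        }'
}

# Reads `ssh -G <host>` output (the options ssh would actually apply to that
# host; nothing is connected) and confirms GSSAPI auth and delegation are on.
check_ssh_gssapi() {
    awk '
        $1 == "gssapiauthentication"      { auth  = ($2 == "yes") }
        $1 == "gssapidelegatecredentials" { deleg = ($2 == "yes") }
        END {
            if (!auth)  print "check_ssh_gssapi: GSSAPIAuthentication is not yes" > "/dev/stderr"
            if (!deleg) print "check_ssh_gssapi: GSSAPIDelegateCredentials is not yes" > "/dev/stderr"
            exit ((auth && deleg) ? 0 : 1)
        }'
}

# Runs both checks against the live system.  Usage: check_setup <host>
check_setup() {
    klist -f 2>/dev/null | check_tgt && ssh -G "$1" | check_ssh_gssapi
}

# Constructed sample of `klist -f` output (not from a real system), so the
# parser can be exercised offline.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: example@UNI-PADERBORN.DE

Valid starting       Expires              Service principal
01/01/2024 09:00:00  01/01/2024 19:00:00  krbtgt/UNI-PADERBORN.DE@UNI-PADERBORN.DE
        renew until 01/08/2024 09:00:00, Flags: FRIA'
printf '%s\n' "$SAMPLE_KLIST" | check_tgt && echo "sample cache: forwardable TGT present"
```

Ticket expiry is not checked by the parser; the "Expires" column of klist shows that.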

Setting up Kerberos (Windows)

To set up Kerberos under Windows, you can refer to the ZIM instructions for setting up single sign-on. Please note that you can skip the chapter "Configuring the desired application" if you only want to set up SSH access.

Login via SSH (Windows)

To be able to establish a connection to your VM under Windows using SSH, you need additional software. One such software is PuTTY. Please refer to the IMT's instructions for setting up PuTTY.

Firefox supports Kerberos login natively. All you need to do is set the option "network.negotiate-auth.trusted-uris" on the "about:config" page to "uni-paderborn.de,upb.de,cs.uni-paderborn.de".

As long as you have Kerberos set up and hold a valid ticket (see the OS-specific instructions above), you should then be able to log in to most Kerberos-enabled IRB services without entering a password.

To use Kerberos with Google Chrome, the "AuthServerAllowlist" policy must be configured. This is done via a JSON file (e.g. kerberos.json) in the /etc/opt/chrome/policies/managed/ folder (or /etc/chromium/policies/managed/ for Chromium):

{
"AuthServerAllowlist": "*.uni-paderborn.de"
}

The krb5 package must also be installed on the system.